37.66.316 RELEASE OF CONFIDENTIAL RECORDS
(1) All information obtained and records prepared in the course of a state mental health facility providing service are confidential and privileged. Information and records may be disclosed to qualified personnel for the purpose of conducting scientific or genealogical research, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, or otherwise disclose patient identities in any manner.
(2) Consent of the patient is required in order to release information or records concerning an individual who is currently
an inpatient or who has been discharged within the 12 previous months. In the case of a patient who has been adjudicated incapacitated, any consent which is required under these rules may be given by the guardian or other person authorized under state law to act in the patient's behalf. If a written consent is needed to disclose information identifying a deceased patient, that consent may be given by an executor, administrator, or other personal representative appointed under applicable state law. If there is no such appointment, the consent may be given by the patient's spouse, or, if none, by any responsible member of the patient's family.
(3) Patient identifying information may be disclosed for the purpose of conducting research if the department director or, for records in state archives, the state archivist, makes a determination that the recipient of the patient identifying information:
(a) is qualified to conduct the research, as determined from the recipient's application for authorization of confidentiality;
(b) signs an oath of confidentiality; and
(c) agrees in writing to:
(i) maintain copies of the patient identifying information in accordance with security requirements;
(ii) destroy or deposit with the state archives all copies of the patient identifying information upon completion of the research. All information deposited with the state archives will be subject to retention rules of that agency.
(4) An application for authorization of confidentiality for a research project must be approved by the department and shall include the following:
(a) The name and address of the individual primarily responsible for the conduct of the research and the sponsor or institution with which he or she is affiliated, if any. Any application from a person affiliated with an institution will be considered only if it contains or is accompanied by documentation of institutional approval. This documentation may consist of a written statement signed by a responsible official of the institution, such as a graduate student's advisor or department chair;
(b) The location of the research project and a description of the facilities available for conducting the research, including the name and address of any hospital, institution, etc. to be utilized in connection with the research;
(c) Summaries of the applicant's and any other personnel having major responsibilities in the research project appropriate training and experience;
(d) An outline of the research project, including a clear and concise statement of the purpose and rationale of the research project and the general research methods to be used;
(e) The date on which research will begin and the
estimated date for completion of the project;
(f) An assurance that if an authorization of confidentiality is given it will not be represented as an endorsement of the research project or used to coerce individuals to participate in the research project.
(5) Security requirements shall include:
(a) Written records that are subject to these regulations must be maintained in a secure room, locked file cabinet, safe, or other similar container when not in use;
(b) Applicant must have a research protocol which has been reviewed by a group of at least two individuals knowledgeable in the field who are independent of the research project. Applicant must have a written statement that the protocol has been reviewed and it has been determined that the rights of the patients will be adequately protected and the risks in disclosing patient identifying information are outweighed by the potential benefits of the research;
(c) The information will be used only for the purposes for which it is being provided.